Speaking in front of an audience of 300 security specialists at a conference last year, the head of the Department of Homeland Securityís Industrial Control Systems Cyber Response team (ICS-CERT) made a dire pronouncement: the department saw an increase in attacks on industrial control systems in 2015, and he was "dismayed" by the accessibility of some of the networks. To say that many people in that audience (and those who would follow the coverage) were equally dismayed at how to handle the paradox that gave birth to this problem would be an understatement.

The convergence of information technology and industrial technology supplies analytic applications with massive amounts of industrial data, resulting in streamlined operations, improved safety, predictive maintenance, and optimized processes. However, this convergence is occurring in an environment that was never designed to be accessible from the outside world. Security strategy for operational technology (OT) was developed decades ago, under the assumption that restricting physical access to industrial control systems and networks was enough to protect them. The simple truth is that OT grew independent of IT, with no intention to integrate the two. Over time, the reliance on physical protection approaches proved to be short-sighted and insufficient due to the integration of business and industrial systems, and the expansion of remote management. For manufacturing, transportation, and critical infrastructure, this reliance is creating enormous risks with potentially catastrophic outcomes.